Open Source and information security mailing list archives
 
Message-ID: <CACkBjsbx7gDCjBOZMxK0tK0LopY9hvSt_EL2Kz5FzvHjsaddHQ@mail.gmail.com>
Date: Sat, 15 Nov 2025 10:22:08 +0100
From: Hao Sun <sunhao.th@...il.com>
To: Alexei Starovoitov <alexei.starovoitov@...il.com>
Cc: bpf <bpf@...r.kernel.org>, Alexei Starovoitov <ast@...nel.org>, 
	Daniel Borkmann <daniel@...earbox.net>, Andrii Nakryiko <andrii@...nel.org>, Eduard <eddyz87@...il.com>, 
	John Fastabend <john.fastabend@...il.com>, Martin KaFai Lau <martin.lau@...ux.dev>, 
	Song Liu <song@...nel.org>, Yonghong Song <yonghong.song@...ux.dev>, 
	LKML <linux-kernel@...r.kernel.org>, Hao Sun <hao.sun@....ethz.ch>
Subject: Re: [PATCH RFC 00/17] bpf: Introduce proof-based verifier enhancement

On Sat, Nov 15, 2025 at 3:27 AM Alexei Starovoitov
<alexei.starovoitov@...il.com> wrote:
>
> This is not a review yet. Small question first.
>
> Your github repo has ~1500 bpf object files,
> while here and in the paper you mention 512.
> What's the difference?
>

1588 is the total number of objects before any deduplication:
 `find ./bpf-progs -name '*.o' -type f | wc -l`.

512 (503 + 9) is the number of objects deduped based on the verifier
log (see [1]).
Those objects are compiled with different configurations, but some are
from the same source progs, so after loading, I ensured that the objects
must trigger different analysis processes, which is indicated by the
number of instructions analyzed and the number of states (captured from
the last few lines of the verifier's log).

Since some different objects may be deemed as dup, I still keep all the objects
in the repo for reference.

[1] dedup: https://github.com/SunHao-0/BCF/blob/artifact-evaluation/scripts/process_bcf_result.py#L334

> I tried to categorize failures from many of these ~1500
> and lots of them are similar.
>
> In paper you mention 3 examples:
> - ptr + str_pos, with size MAX - str_pos
> - s>>= 31
> - &= 0xffff
>
> Did you categorize all 1500 failures into categories?
>
> What are the specific gaps in the verifier beyond these 3 cases ?

Categorizing all the failures was not easy (e.g., I tried to write some
regexes based on the error logs, but there were just too many). Below is
a rough result I did a long time ago:

    "min value is outside of the allowed memory range",
    "max value is outside of the allowed memory range",
    "invalid bpf_context access",
    "invalid access to packet",
    "invalid read from stack",
    "invalid mem access \'scalar\'",
    "read_ok",
    "BPF program is too large",
    "invalid zero-sized read",
    "At program exit the register...",
    "call bpf_csum_diff...",
    "invalid size of register spill",
    "math between map_value pointer and register with unbounded min value".
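
The deduplication described in the message above (objects are duplicates when the verifier reports the same number of instructions analyzed and the same number of states), as an added example that is not the script linked at [1] and not code from the author. It assumes "number of states" means the `total_states` field of the verifier's final statistics line; the function names and sample logs are hypothetical, and the category strings are the ones listed in the message.

```python
import re
from collections import defaultdict

# Statistics line the kernel verifier prints at the end of its log.
STATS_RE = re.compile(r"processed (\d+) insns \(limit \d+\) "
                      r"max_states_per_insn \d+ total_states (\d+)")

# Substrings from the rough category list in the message above.
CATEGORIES = [
    "min value is outside of the allowed memory range",
    "max value is outside of the allowed memory range",
    "invalid bpf_context access",
    "invalid access to packet",
    "invalid read from stack",
    "invalid mem access 'scalar'",
    "BPF program is too large",
    "invalid zero-sized read",
    "invalid size of register spill",
    "math between map_value pointer and register with unbounded min value",
]

def analysis_key(log):
    """(insns processed, total states) from the last stats line, or None."""
    hits = STATS_RE.findall(log)
    return tuple(map(int, hits[-1])) if hits else None

def categorize(log):
    """First matching category substring, else 'uncategorized'."""
    return next((c for c in CATEGORIES if c in log), "uncategorized")

def dedup(logs):
    """Group object names whose logs show the same analysis key."""
    groups = defaultdict(list)
    for name, log in sorted(logs.items()):
        # Logs without a stats line are never merged with anything else.
        groups[analysis_key(log) or ("no-stats", name)].append(name)
    return dict(groups)

def stats(insns, states):  # builds a constructed stats line for the samples
    return (f"processed {insns} insns (limit 1000000) max_states_per_insn 1 "
            f"total_states {states} peak_states {states} mark_read 1\n")

# Constructed sample logs, not taken from the BCF data set.
SAMPLE_LOGS = {
    "prog_O1.o": "R2 min value is outside of the allowed memory range\n" + stats(42, 3),
    "prog_O2.o": "R2 min value is outside of the allowed memory range\n" + stats(42, 3),
    "prog_O3.o": "R2 min value is outside of the allowed memory range\n" + stats(57, 4),
    "other.o": "invalid access to packet, off=0 size=4, R1(id=0,off=0,r=0)\n" + stats(42, 5),
    "cut.o": "R1 invalid mem access 'scalar'\n",
}
```

Two unrelated programs can share the same pair of counts, so a key like this can over-merge, which matches the note above that some different objects may be deemed duplicates.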
